First, the malicious code was injected in legitimate payment gateway files, so regular inspections that scan websites' public HTML or look for suspicious file additions wouldn't yield any results.